Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 3702f3385e570e11422633da2c7a2136f222bfb7^! / . / private / compat / 31.0 / 31.0.cil
commit3702f3385e570e11422633da2c7a2136f222bfb7[log] [tgz]
authorMaciej Żenczykowski <maze@google.com>Thu Nov 11 01:51:15 2021 -0800
committerMaciej Żenczykowski <maze@google.com>Thu Nov 11 02:54:21 2021 -0800
tree9616f9fa338457d13c330b03a6ee0d95a769ba78
parentf7d7c221154b3b0ff40019cbfd2306b7e0c34b35 [diff] [blame]
introduce new 'proc_bpf' for bpf related sysctls

What to tag chosen based on output of:
  find /proc 2>/dev/null | egrep bpf
on a 5.10 kernel.

Tagged with prefixes to be more likely not require changes in the future

  $ adb root
  $ adb shell 'ls -lZ /proc/sys/net/core/bpf_* /proc/sys/kernel/*bpf*'

Before:
  -rw-r--r-- 1 root root u:object_r:proc:s0      0 2021-11-11 02:11 /proc/sys/kernel/bpf_stats_enabled
  -rw-r--r-- 1 root root u:object_r:proc:s0      0 2021-11-11 02:11 /proc/sys/kernel/unprivileged_bpf_disabled
  -rw-r--r-- 1 root root u:object_r:proc_net:s0  0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_enable
  -rw------- 1 root root u:object_r:proc_net:s0  0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_harden
  -rw------- 1 root root u:object_r:proc_net:s0  0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_kallsyms
  -rw------- 1 root root u:object_r:proc_net:s0  0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_limit

After:
  -rw-r--r-- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/kernel/bpf_stats_enabled
  -rw-r--r-- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/kernel/unprivileged_bpf_disabled
  -rw-r--r-- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_enable
  -rw------- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_harden
  -rw------- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_kallsyms
  -rw------- 1 root root u:object_r:proc_bpf:s0  0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_limit

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I46ea81ff42d3b915cf7a96735dc2636d9808ead6

diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index 061edca..eaf971b 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil

@@ -1964,6 +1964,7 @@
 (typeattributeset privapp_data_file_31_0 (privapp_data_file))
 (typeattributeset proc_31_0
   ( proc
+    proc_bpf
     proc_cpu_alignment
 ))
 (typeattributeset proc_abi_31_0 (proc_abi))
@@ -1996,7 +1997,10 @@
 (typeattributeset proc_misc_31_0 (proc_misc))
 (typeattributeset proc_modules_31_0 (proc_modules))
 (typeattributeset proc_mounts_31_0 (proc_mounts))
-(typeattributeset proc_net_31_0 (proc_net))
+(typeattributeset proc_net_31_0
+  ( proc_bpf
+    proc_net
+))
 (typeattributeset proc_net_tcp_udp_31_0 (proc_net_tcp_udp))
 (typeattributeset proc_overcommit_memory_31_0 (proc_overcommit_memory))
 (typeattributeset proc_page_cluster_31_0 (proc_page_cluster))